Malware Analysis Report

2024-11-13 14:25

Sample ID 210813-an61xpx6e6
Target 9.exe
SHA256 a6960926d530880cde47a08146cb733b1b69fad3cd30b8af4d7afa999254e3c0
Tags
echelon spyware stealer suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6960926d530880cde47a08146cb733b1b69fad3cd30b8af4d7afa999254e3c0

Threat Level: Known bad

The file 9.exe was found to be: Known bad.

Malicious Activity Summary

echelon spyware stealer suricata

Echelon

suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-13 14:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-13 14:54

Reported

2021-08-13 14:57

Platform

win7v20210410

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9.exe"

Signatures

Echelon

stealer spyware echelon

suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

suricata

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9.exe N/A
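The two Suricata hits listed above name the observable rather than show it. The following is an added example, not the Emerging Threats rule text and not part of this sandbox report: it re-implements what the signature names describe, an HTTP POST to a path ending in gate.php that carries no Accept header or no Referer header, so the check can be run offline against requests pulled from a pcap. The sample requests are constructed, and the host c2.example is a placeholder because the report does not say which server received the POST.

```python
"""Heuristic behind the two 'POST To gate.php' Suricata signatures.

Added example, not the ET rule text and not part of the sandbox report.
Sample requests are constructed; c2.example is a placeholder host.
"""
from typing import Dict, List, Tuple


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, path, lower-cased headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def gate_php_findings(raw: bytes) -> List[str]:
    """Names of the signatures a request would trip (empty list if none)."""
    method, path, headers = parse_request(raw)
    findings: List[str] = []
    # Only POSTs whose path (query string stripped) ends in gate.php are in scope.
    if method != "POST" or not path.split("?", 1)[0].lower().endswith("gate.php"):
        return findings
    if "accept" not in headers:
        findings.append("POST To gate.php with no accept headers")
    if "referer" not in headers:
        findings.append("POST To gate.php with no referer")
    return findings


# Constructed sample traffic (not captured from the sample).
STEALER_STYLE_POST = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: c2.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"id=abc123"
)

BROWSER_STYLE_POST = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: c2.example\r\n"
    b"Accept: text/html,*/*;q=0.8\r\n"
    b"Referer: http://c2.example/login\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"id=abc123"
)

PLAIN_GET = b"GET /gate.php?id=1 HTTP/1.1\r\nHost: c2.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("stealer", STEALER_STYLE_POST),
                      ("browser", BROWSER_STYLE_POST),
                      ("get", PLAIN_GET)]:
        print(name, gate_php_findings(req) or "no hit")
```

A form POST issued by a browser almost always carries both Accept and Referer, which is why their absence on a gate.php path is a cheap distinguishing feature for hand-rolled HTTP clients in stealers. The check looks only at request content, so pair it with the destination host before acting on it; a legitimate site that happens to expose a gate.php endpoint would otherwise trip it.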

Processes

C:\Users\Admin\AppData\Local\Temp\9.exe

"C:\Users\Admin\AppData\Local\Temp\9.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.235.247.117:443 api.ipify.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 f0554721.xsph.ru udp
N/A 141.8.193.236:80 f0554721.xsph.ru tcp

Files

memory/1056-60-0x0000000000C10000-0x0000000000C11000-memory.dmp

memory/1056-62-0x0000000002120000-0x0000000002191000-memory.dmp

memory/1056-63-0x000000001AE70000-0x000000001AE72000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-13 14:54

Reported

2021-08-13 14:57

Platform

win10v20210408

Max time kernel

23s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9.exe"

Signatures

Echelon

stealer spyware echelon

suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

suricata

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9.exe

"C:\Users\Admin\AppData\Local\Temp\9.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.ipify.org udp
N/A 54.225.245.108:443 api.ipify.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 f0554721.xsph.ru udp
N/A 141.8.193.236:80 f0554721.xsph.ru tcp
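Both detonations produce the same three network contacts, but they are not equally useful as indicators: api.ipify.org and ip-api.com are public IP-lookup services that plenty of legitimate software calls, and api.ipify.org resolved to a different address in each run (54.235.247.117 in behavioral1, 54.225.245.108 in behavioral2), whereas f0554721.xsph.ru resolved to 141.8.193.236 both times and was contacted over plain HTTP. The following is an added example, not part of the sandbox report: it takes the indicators from the two Network tables, tiers them by that judgement (the tiering is the editor's, not a verdict the report makes), and applies them to constructed log lines whose format (timestamp, source host, event type, destination) is assumed.

```python
"""Network indicators from behavioral1 and behavioral2, tiered by fidelity and
matched against constructed log lines.

Added example, not part of the sandbox report. The tiering is analyst
judgement; the log line format is assumed.
"""
import re
from typing import Dict, List, Tuple

# Indicators copied from the report's two Network tables.
IOCS: Dict[str, str] = {
    # Public IP-lookup services: legitimate software calls them too, and the
    # ipify address differed between the two runs, so a hit is context only
    # and the IPs are less durable than the domain names.
    "api.ipify.org": "low",
    "ip-api.com": "low",
    "54.235.247.117": "low",
    "54.225.245.108": "low",
    "208.95.112.1": "low",
    # Contacted over plain HTTP in both runs, same address both times, and not
    # a public service: the indicator worth alerting on.
    "f0554721.xsph.ru": "high",
    "141.8.193.236": "high",
}

RANK = {"low": 1, "high": 2}
_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def _tokens(line: str) -> List[str]:
    """Whitespace tokens, lower-cased, with a trailing :port stripped from IPs."""
    out = []
    for tok in line.split():
        m = _IP_PORT.match(tok)
        out.append((m.group(1) if m else tok).lower())
    return out


def find_iocs(line: str) -> List[Tuple[str, str]]:
    """(indicator, tier) pairs present in one line; domains match as suffixes."""
    hits = []
    for tok in _tokens(line):
        for ioc, tier in IOCS.items():
            if tok == ioc or tok.endswith("." + ioc):
                hits.append((ioc, tier))
    return hits


def triage(lines: List[str], src_field: int = 1) -> Dict[str, str]:
    """Highest-tier indicator seen per source host (field index src_field)."""
    verdict: Dict[str, str] = {}
    for line in lines:
        parts = line.split()
        if len(parts) <= src_field:
            continue
        src = parts[src_field]
        for _ioc, tier in find_iocs(line):
            if RANK[tier] > RANK.get(verdict.get(src, ""), 0):
                verdict[src] = tier
    return verdict


# Constructed log lines (not from the sandbox run): host 10.0.0.5 shows the
# full pattern, host 10.0.0.9 only the IP lookup that benign software also does.
SAMPLE_LOG = [
    "2021-08-13T14:55:01Z 10.0.0.5 dns A api.ipify.org",
    "2021-08-13T14:55:02Z 10.0.0.5 dns A ip-api.com",
    "2021-08-13T14:55:03Z 10.0.0.5 http 141.8.193.236:80 POST",
    "2021-08-13T14:56:10Z 10.0.0.9 dns A api.ipify.org",
    "2021-08-13T14:56:11Z 10.0.0.9 http 203.0.113.7:443 GET",
]

if __name__ == "__main__":
    for host, tier in sorted(triage(SAMPLE_LOG).items()):
        print(host, tier)
```

Run against real proxy or DNS logs, only a "high" verdict justifies an alert on its own; a "low" verdict marks a host where the IP-lookup traffic is worth correlating with the other behaviours in this report (browser profile reads, SeDebugPrivilege) rather than something to block.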

Files

memory/764-114-0x00000215093A0000-0x00000215093A1000-memory.dmp

memory/764-116-0x0000021523960000-0x00000215239D1000-memory.dmp

memory/764-117-0x00000215097B0000-0x00000215097B2000-memory.dmp